The WebMail Access restrictions tab lets you configure rarely used settings for the WebMail & administration server component of VPOP3.

The Allow Password in URL option allows you to create links to Webmail/admin containing the user's password. There is a security risk involved with this, especially if the password is sent in plain text, but some people find it convenient, and it can be useful for automating some administrative processes. To specify the username and password in the URL, add the parameters user= and either password= or md5pass= to the URL, e.g. http://server:5108/admin/index.html?user=postmaster&password=admin or http://server:5108/admin/index.html?user=postmaster&md5pass=2da07a809e1c95d0440b9b4ea92e906c. The md5pass parameter is the lower-case MD5 hex digest of the string "<username>+<password>", e.g. the above is the MD5 hash of "postmaster+admin" for the default administrator login. Using the MD5 hash helps to hide the password, but it will not prevent replay attacks, because anyone who captures the URL can reuse it as it is, and the original password may still be discovered with sufficient resources.
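
An added example, not part of the VPOP3 documentation: URLs like the ones above get recorded in proxy logs and similar records, so this Python script finds the user=, password= and md5pass= parameters in log lines, redacts the values and reports which account was exposed. The log format and the function names are assumptions, and the sample lines are constructed from the example URLs above.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Login parameters documented above; both values work as credentials for whoever reads the log.
CREDENTIAL_PARAMS = {
    "password": "plaintext password",
    "md5pass": "static MD5 digest (replayable)",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample proxy log lines (assumed format), built from the example URLs above.
SAMPLE_LOG = [
    '10.0.0.7 - - "GET http://server:5108/admin/index.html?user=postmaster&password=admin" 200',
    '10.0.0.9 - - "GET http://server:5108/admin/index.html?user=postmaster'
    '&md5pass=2da07a809e1c95d0440b9b4ea92e906c" 200',
    '10.0.0.9 - - "GET http://server:5108/admin/index.html" 200',
]

def redact_url(url):
    """Return (url with credential values replaced, list of (param, kind))."""
    parts = urlsplit(url)
    pairs, findings = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = CREDENTIAL_PARAMS.get(name.lower())
        if kind:
            findings.append((name.lower(), kind))
            value = "REDACTED"
        pairs.append((name, value))
    if not findings:
        return url, findings  # leave clean URLs byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(pairs))), findings

def scan_log(lines):
    """Redact every line and report which account was exposed, and how."""
    clean, report = [], []
    for lineno, line in enumerate(lines, 1):
        def scrub(match, lineno=lineno):
            url = match.group(0)
            redacted, findings = redact_url(url)
            user = dict(parse_qsl(urlsplit(url).query)).get("user", "?")
            for param, kind in findings:
                report.append({"line": lineno, "user": user, "param": param,
                               "kind": kind, "cleartext": url.startswith("http://")})
            return redacted
        clean.append(URL_RE.sub(scrub, line))
    return clean, report

if __name__ == "__main__":
    clean, report = scan_log(SAMPLE_LOG)
    print("\n".join(clean), *report, sep="\n")
```

Any account that appears in the report should have its password changed, since both the plaintext password and the md5pass digest remain usable until then.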

The Allow different client addresses for a Web Mail session option means that VPOP3 does not associate a login session with a particular IP address. This makes it more vulnerable to replay attacks, since anyone who can capture the session cookie in use can then use it from another computer (until it expires). However, this option is sometimes needed for people accessing the WebMail service from behind a proxy server farm, or other shared address pool (e.g. some mobile phone companies).

The Support CalDAV scheduling extension option enables or disables the experimental support for RFC 6638 automatic scheduling extensions to the CalDAV service. This is currently not fully implemented in VPOP3, and it could cause problems for some CalDAV clients, so you can disable it if you want or need to. If this is disabled then free/busy viewing may not be available in some CalDAV clients.

The Support different CalDAV authentication realms for different accounts option makes VPOP3 deviate slightly from the standard: it will request different authentication details for different calendar access. This can help with accessing several accounts from Mozilla Lightning, but can cause issues with other CalDAV clients such as the ones from Apple. We recommend that this is turned off unless you need it.

The Mail HTML Pages setting tells VPOP3 where to find the content for the WebMail & administration facilities. Usually it will be the _webmail folder inside the main VPOP3 installation folder, but there are cases where you may want to change it.

The Apply account lockout policy to WebMail/Admin even when connecting from 127.0.0.1 option tells VPOP3 to lock accounts if there are too many failed login attempts, even from the VPOP3 computer using the 127.0.0.1 loopback address. We recommend that this is left off all the time, as you may make it impossible to access the VPOP3 settings if you are unsure of the password. If the option is off, accounts will still be locked if they are accessed from other IP addresses, so that will help to protect against remote attacks. If an attacker has access to the VPOP3 computer in order to be able to use the loopback address, then you have bigger issues to worry about!

The Encrypt login passwords when transmitting over the network option tells VPOP3 to use a challenge-response MD5 one-way hash of passwords when they are sent over the network from the Webmail login page. This helps to protect against network snooping, and is usually recommended. It is not necessary if you are using HTTPS encryption of sessions in VPOP3 Enterprise, as all the data is encrypted in that case. Note that if you use this option, then you cannot tell VPOP3 to automatically use Windows passwords when logging into Webmail. The Windows login APIs require VPOP3 to supply the passwords in plain-text, which is not possible if they have been encrypted using a one-way hash.

The Use the same browser tab for Webmail & Admin pages option tells VPOP3 to use the same browser window/tab when a user switches between WebMail & Admin modes. Otherwise it will open two different tabs, one for each mode.

The Default folder names section lets you specify the WebMail folder names used by default for Sent Items, Deleted Items, and Draft messages. Users can change these folder names afterwards, so these settings will not apply to existing user accounts, but will apply to any new accounts which are created.